@@ -27,11 +27,30 @@ public MongoPersistenceProvider(IMongoDatabase database)
2727
2828 static MongoPersistenceProvider ( )
2929 {
30- // Register ObjectSerializer to allow deserialization of WorkflowCore types and user types
31- // This matches the pattern used in MongoDB tests which resolves serialization issues
30+ // Register ObjectSerializer to allow deserialization of user types while maintaining security
31+ // Allows all default types plus user-defined types (excluding system/framework types)
3232 BsonSerializer . TryRegisterSerializer ( new ObjectSerializer ( type =>
33- ObjectSerializer . DefaultAllowedTypes ( type ) ||
34- type . FullName ? . StartsWith ( "WorkflowCore" ) == true ) ) ;
33+ {
34+ // Allow all default MongoDB allowed types (primitives, collections, etc.)
35+ if ( ObjectSerializer . DefaultAllowedTypes ( type ) )
36+ return true ;
37+
38+ // Allow WorkflowCore types (for backward compatibility)
39+ if ( type . FullName ? . StartsWith ( "WorkflowCore" ) == true )
40+ return true ;
41+
42+ // Allow user types by excluding system/framework types
43+ // This prevents security issues while allowing user data classes
44+ var fullName = type . FullName ?? "" ;
45+ if ( fullName . StartsWith ( "System." ) ||
46+ fullName . StartsWith ( "Microsoft." ) ||
47+ fullName . StartsWith ( "System," ) ||
48+ fullName . StartsWith ( "Microsoft," ) )
49+ return false ;
50+
51+ // Allow all other types (user-defined types)
52+ return true ;
53+ } ) ) ;
3554
3655 ConventionRegistry . Register (
3756 "workflow.conventions" ,
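Review bot: The predicate added on new-side lines 44–52 turns the driver's allow-list into a namespace deny-list: a type named by a document's `_t` discriminator is accepted unless its `FullName` begins with `System.` or `Microsoft.`, which leaves every third-party assembly, other framework namespaces such as `Mono.`, and global-namespace types open to instantiation by anyone who can write to the collection — the exposure the allowed-types check exists to close. The `System,` and `Microsoft,` branches are dead code, because `Type.FullName` is `Namespace.TypeName` and never begins with an assembly qualifier (only `AssemblyQualifiedName` does). Keep the predicate an allow-list: retain `DefaultAllowedTypes` and the `WorkflowCore` prefix, and let the host opt in its own data types through a static hook that defaults to allowing nothing; since the lambda evaluates the hook at deserialization time, the host can assign it after the static constructor has run. Use `StringComparison.Ordinal` on the prefix check, and note in the comment that `TryRegisterSerializer` presumably yields to an `ObjectSerializer` the host registered earlier, so a host-side allow-list is also honoured. The static constructor continues past the hunk (the `ConventionRegistry.Register` call on line 55 is a separate statement).
```csharp
// Host-supplied allow-list for user data types. Defaults to allowing nothing beyond the
// driver defaults and WorkflowCore; hosts opt in explicitly, e.g.
// MongoPersistenceProvider.AllowedUserTypes = t => t.Assembly == typeof(MyData).Assembly;
public static Func<Type, bool> AllowedUserTypes { get; set; } = _ => false;

static MongoPersistenceProvider()
{
    // Allow-list, not deny-list: the predicate gates which types a `_t` discriminator may instantiate.
    BsonSerializer.TryRegisterSerializer(new ObjectSerializer(type =>
        ObjectSerializer.DefaultAllowedTypes(type) ||
        type.FullName?.StartsWith("WorkflowCore", StringComparison.Ordinal) == true ||
        AllowedUserTypes(type)));

    // … unchanged: ConventionRegistry.Register …
```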